20260615-linuxkm-fixes#10696
wolfSSL-Fenrir-bot
left a comment
Fenrir Automated Review — PR #10696
Scan targets checked: linuxkm-bugs, linuxkm-src, wolfcrypt-bugs, wolfcrypt-rs-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
abfe536 to 2844cd1
retest this please
Nice, this fixes |
philljj
left a comment
Tests good, just some nits in review.
| unsigned int cSz, unsigned char* s, unsigned int sSz); | ||
| #else | ||
| struct Gcm; | ||
| WOLFSSL_LOCAL void __attribute__((nonnull(1))) GHASH(struct Gcm *gcm, const unsigned char* a, |
dumb question, is this redundant with the change in aes.h?
Also can WC_ARG_NOT_NULL be used here?
There was a problem hiding this comment.
Not on old FIPS -- that's what it's for.
And WC_ARG_NOT_NULL doesn't exist yet when linuxkm_wc_port.h is evaluated, alas. That's why it's also using unsigned char * instead of byte *, etc.
| if (unlikely(ret == WC_NO_ERR_TRACE(RNG_FAILURE_E))) { | ||
| if (slen > 0) { | ||
| ret = -EINVAL; | ||
| if (slen > 0) |
nit: could condense this to if (slen > 0 || retried) break; now.
Or if they are worth being separate checks, maybe a short 1 line comment explaining what slen > 0 vs retried means in error conditions.
There was a problem hiding this comment.
Need to be separate so that instrumentation (--enable-debug-trace-errcodes) shows what failed.
IIRC, the slen situation isn't retryable because the whole point of a gen paired with a seed is to have the seed deterministically determine what's gen'd, which it wouldn't if a reinit were done midstream. This could be bikeshedded to work right on reinit but clearly isn't worth the extra trouble.
…gcc-16: linuxkm/linuxkm_memory.c: use packed-struct intermediates rather than memcpy()s for wc_get_unaligned() and wc_put_unaligned(). linuxkm/linuxkm_wc_port.h: on old FIPS, retrofit nonnull attribute to GHASH() arg 1, so that it unconditionally writes out the hash. wolfcrypt/src/aes.c and wolfssl/wolfcrypt/aes.h: in GHASH(), add nonnull attribute to arg 1, and remove runtime nullness check for arg 1 in the implementations.
…_drbg_generate() (followup to 3c9996e in wolfSSL#10688).
…decrypt: * add WC_VAES_MIN_BLOCKS, WC_VAES_ECB_MIN_BLOCKS, and WC_VAES_GCM_MIN_BLOCKS, and check against them before using AVX512/VAES implementations. * in AesCfbDecrypt_C(), enlarge the tmp[] buffer and parameterize its size with newly added WC_AES_CFB_DEC_BUF_BLOCKS.
…ce lists in FIPS v2/v5/v6 sections.
…t (where foo is a stylization of the filename), before including libwolfssl_sources.h, to allow future file-specific suppressions or other settings without altering FIPS sources.
…lfcrypt/src/pkcs7.c, wolfcrypt/test/test.c: * implement wc_local_AesGcmCheckTagSz() with pedantic checks for valid authtag size. SP 800-38D restrictions are now uniformly imposed, unless WC_AES_GCM_ALLOW_NONSTANDARD_TAG_LENGTH is defined (not allowed with FIPS). * refactor tag size checks in wc_AesGcmEncrypt(), wc_AesGcmDecrypt(), wc_AesGcmEncryptFinal(), wc_AesGcmDecryptFinal(), and wc_PKCS7_DecodeAuthEnvelopedData(). * in test.c, update aesgcm_non12iv_test() to skip tag sizes expected to fail.
* in slhdsa_keygen_kat() and slhdsa_id_label_test(), pass devId to wc_SlhDsaKey_Init*() * in cryptocb_test(), inhibit the callback verification check for SLHDSA if FIPS (no crypto callbacks in FIPS-wrapped calls).
…l/wolfcrypt/memory.h: add WC_SVR_FLAG_FUZZ, implement support for DEBUG_VECTOR_REGISTER_ACCESS_FUZZING directly in the save/restore implementations, and properly reflect existing save state there and in the _FUZZING variants of SAVE_VECTOR_REGISTERS2().
configure.ac: * remove -DWC_SHA3_NO_ASM from ENABLED_LINUXKM AM_CFLAGS. * refactor initial setup for KERNEL_MODE_DEFAULTS, adding generic --enable-kernel-settings while retaining legacy --enable-linuxkm-defaults. * rename $DEF_SP_MATH to $DEF_SP_MATH_ALL. * remove redundant and unneeded setup for KERNEL_MODE_DEFAULTS and ENABLED_LINUXKM (leverage existing setup in settings.h). * move some still-needed KERNEL_MODE_DEFAULTS and ENABLED_LINUXKM setup from configure.ac to settings.h. * set up -DWOLFSSL_KERNEL_MODE_DEFAULTS, so that settings.h can pivot on it. wolfssl/wolfcrypt/settings.h: * revise WOLFSSL_LINUXKM section of settings.h to require WOLFSSL_MIN_AUTH_TAG_SZ at least 8 for old FIPS and 12 for new FIPS. still force down to 4 bytes if crypto fuzzer is enabled, otherwise force down to 8 to support legacy IPsec ESP. * in the WOLFSSL_LINUXKM section, don't set WC_MLKEM_NO_ASM, and disable DEBUG_VECTOR_REGISTER_ACCESS_FUZZING in ML-KEM, ML-DSA, and SLH-DSA -- intelasm works right, but fuzzing doesn't (yet).
…hat WOLFSSL_MIN_AUTH_TAG_SZ meets SP 800-38D Rev 1 requirements.
…pport for CheckOcspResponder() (WOLFSSL_NO_OCSP_ISSUER_CHECK is no longer implied by KERNEL_MODE_DEFAULTS).
…remove indirect symbol support for strncpy and add backward-compat implementation wc_linuxkm_strncpy().
…uxkm/linuxkm_memory.c, wolfcrypt/src/random.c, wolfcrypt/test/test.c, wolfssl/wolfcrypt/mem_track.h, wolfssl/wolfcrypt/memory.h, wolfssl/wolfcrypt/settings.h).
…ullness check for arg 1 (matching nonnull attribute to arg 1 added to prototype in earlier commit).
* disable asm accelerations if WC_SHA3_NO_ASM is set. * fix an uninited-data warning in slhdsakey_wots_pkgen_chain_c().
* wolfssl/ocsp.h: gate out the CheckOcspResponder() prototype if defined(CheckOcspResponder) (for linuxkm-pie). * wolfcrypt/src/wc_mldsa.c: add support for WC_MLDSA_NO_ASM. * .wolfssl_known_macro_extras: add new macros.
linuxkm/: when logging PTR_ERR(), cast it to int, and use "%d" as the format. Globally, `#define PTR_ERR(x) ((int)PTR_ERR(x))` in linuxkm_wc_port.h to fix clang warnings on kernel headers. linuxkm/lkcapi_aes_glue.c: add casts in linuxkm_test_aesgcm() to mollify clang. linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c: * add __clang__ compat code to allow including clang stdatomic.h while masking out kernel-incompatible __CLANG_STDINT_H. * add clang-specific suppressions for kernel headers (-Wshorten-64-to-32, -Wframe-address). linuxkm/lkcapi_sha_glue.c: * in wc__get_random_bytes(), add bounds-checking for len. * in wc_extract_crng_user(), fix type conflicts. wolfssl/wolfcrypt/wc_port.h and wolfssl/wolfcrypt/types.h: * move the old-FIPS compatibility mapping from INLINE to WC_INLINE from types.h to wc_port.h. * activate stdatomic.h for clang kernel module builds. linuxkm/Kbuild: * add clang-specific flags. * add gcc gate around gcc-specific flags. * allow override value for MAX_STACK_FRAME_SIZE. wolfcrypt/src/asn.c: add casts in GetFormattedTime_ex() to mollify clang build of linuxkm.
2844cd1 to 262b0ed
retest this please
wolfSSL-Fenrir-bot
left a comment
Fenrir Automated Review — PR #10696
Scan targets checked: linuxkm-bugs, linuxkm-src, wolfcrypt-bugs, wolfcrypt-port-bugs, wolfcrypt-rs-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src
Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
| } | ||
| return dstart; | ||
| } | ||
| #define strncpy wc_linuxkm_strncpy |
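Review bot: `#define strncpy wc_linuxkm_strncpy` is an object-like macro, so from this line on it renames every `strncpy` token in the translation unit, including declarations in any header included later. Suggest a comment at the define stating that it must come after every header that declares strncpy, and summarizing how the replacement differs from the standard function, since readers at call sites will only see `strncpy`.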
🔵 [Low] strncpy redirect silently drops zero-fill guarantee · API contract violations
#define strncpy wc_linuxkm_strncpy transparently substitutes all strncpy calls (kernel >= 7.2.0), but the reimplementation null-terminates after a short source without zero-filling the rest of the buffer, leaving trailing bytes uninitialized. Callers relying on the standard zero-fill contract read garbage.
Fix: Either zero-fill the remaining bytes to match strncpy semantics, or redirect under a wolfSSL-specific name rather than the standard strncpy.
There was a problem hiding this comment.
Deliberate -- as explained in the implementation,
/* don't bother zero-filling dst. */
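The zero-fill behavior discussed in this thread, as an added C example (not code from the PR or from wolfSSL). `copy_no_zero_fill()` is a hypothetical stand-in for a replacement that terminates a short source without padding, and the 0xAA prefill is a constructed model of reused memory.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical replacement (not wolfSSL code): terminates a short source
 * but leaves the rest of dst untouched. */
static char *copy_no_zero_fill(char *dst, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        dst[i] = src[i];
        if (src[i] == '\0')
            break;                      /* no padding after the NUL */
    }
    return dst;
}

/* Copy src into a 0xAA-prefilled buffer (modelling reused memory) and count
 * the bytes after the terminator, within the first n, that are not zero. */
static size_t stale_tail_bytes(int use_standard, const char *src, size_t n)
{
    unsigned char buf[64];
    size_t i, stale = 0;

    if (n > sizeof(buf))
        n = sizeof(buf);
    memset(buf, 0xAA, sizeof(buf));
    if (use_standard)
        strncpy((char *)buf, src, n);   /* ISO C: pads with NULs up to n */
    else
        copy_no_zero_fill((char *)buf, src, n);

    for (i = 0; i < n && buf[i] != '\0'; i++)
        ;                               /* find the terminator, if any */
    for (i = i + 1; i < n; i++)
        stale += (buf[i] != 0);
    return stale;
}

int main(void)
{
    printf("strncpy:      %zu stale bytes\n", stale_tail_bytes(1, "abc", 16));
    printf("no zero-fill: %zu stale bytes\n", stale_tail_bytes(0, "abc", 16));
    return 0;
}
```

A caller is only affected if it reads past the terminator, for example by comparing or copying the whole fixed-size field rather than the string in it.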
| WOLFSSL_MSG("AuthEnvelopedData GCM authTag too small"); | ||
| ret = ASN_PARSE_E; | ||
| encOID == AES256GCMb)) { | ||
| ret = wc_local_AesGcmCheckTagSz(authTagSz); |
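Review bot: at the `ret = wc_local_AesGcmCheckTagSz(authTagSz);` line, a rejected tag size now returns whatever that helper returns, while the neighbouring lines show `ret = ASN_PARSE_E;` together with a WOLFSSL_MSG diagnostic. If those are the lines being replaced, callers that match on ASN_PARSE_E and anyone reading debug output lose a signal; consider keeping the WOLFSSL_MSG on failure and stating the error-code change in the function's documentation.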
🟠 [Medium] wc_local_AesGcmCheckTagSz() called unguarded in PKCS7 CCM-capable path · Switch fallthrough bugs (conditional compilation)
wc_local_AesGcmCheckTagSz is declared (aes.h:618) and defined (aes.c) only under #ifdef HAVE_AESGCM, but this call site is not #ifdef-guarded while wc_PKCS7_DecodeAuthEnvelopedData compiles under HAVE_AESGCM || HAVE_AESCCM. A CCM-only PKCS7 build fails with implicit-declaration / undefined-reference. The prior code used the always-defined macro WOLFSSL_MIN_AUTH_TAG_SZ.
Fix: Wrap the GCM tag-size check in #ifdef HAVE_AESGCM (or otherwise guard the call so CCM-only builds compile).
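The commit text on this page describes a tag-size check that imposes SP 800-38D lengths on top of a build minimum. As an added C example (not wolfSSL's `wc_local_AesGcmCheckTagSz()`, whose body is not shown here), the sketch below compares an assumed minimum-only check with a strict one that also requires one of the lengths SP 800-38D lists; all function names are hypothetical.

```c
#include <stdio.h>

#define GCM_MAX_TAG_SZ 16u   /* AES block size in bytes */

/* Minimum-only check: an assumed shape for a lax test, not wolfSSL's code. */
static int lax_check(unsigned int tag_sz, unsigned int min_sz)
{
    return (tag_sz >= min_sz && tag_sz <= GCM_MAX_TAG_SZ) ? 0 : -1;
}

/* Strict check: the build minimum AND membership in SP 800-38D's list. */
static int strict_check(unsigned int tag_sz, unsigned int min_sz)
{
    if (tag_sz < min_sz)
        return -1;
    switch (tag_sz) {
    case 16: case 15: case 14: case 13: case 12:   /* 128..96 bits */
    case 8: case 4:                                /* 64, 32 bits: restricted use */
        return 0;
    default:
        return -1;
    }
}

/* Collect the sizes the lax check accepts but the strict one rejects.
 * out must hold GCM_MAX_TAG_SZ + 1 entries; returns the count. */
static unsigned int lax_only(unsigned int min_sz, unsigned int *out)
{
    unsigned int sz, n = 0;
    for (sz = 0; sz <= GCM_MAX_TAG_SZ; sz++)
        if (lax_check(sz, min_sz) == 0 && strict_check(sz, min_sz) != 0)
            out[n++] = sz;
    return n;
}

int main(void)
{
    /* Minimums quoted on the page: 4 (crypto fuzzer), 8 (old FIPS), 12 (new FIPS). */
    static const unsigned int mins[] = { 4, 8, 12 };
    unsigned int out[GCM_MAX_TAG_SZ + 1], i, j, n;

    for (i = 0; i < 3; i++) {
        n = lax_only(mins[i], out);
        printf("min %2u: %u nonstandard sizes pass a minimum-only check:", mins[i], n);
        for (j = 0; j < n; j++)
            printf(" %u", out[j]);
        printf("\n");
    }
    return 0;
}
```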
…date AES*GCMb with !HAVE_AESGCM, and add AES-CCM authTagSz check.
…AesGcmCheckTagSz() with C++ (namespace breakage).
642c614 to d69d49c
retest this please
…date old FIPS using old authTagSz check.
…atest FIPS; tests/api.c: use WOLFSSL_FILETYPE_PEM, not SSL_FILETYPE_PEM; tests/api/test_dtls.c and tests/api/test_dtls13.c: use WOLFSSL_ERROR_WANT_READ, not SSL_ERROR_WANT_READ.
retest this please
fixes for false positives on linuxkm CONFIG_FORTIFY_SOURCE builds on gcc-16:
linuxkm/linuxkm_memory.c: use packed-struct intermediates rather than memcpy()s for wc_get_unaligned() and wc_put_unaligned().
linuxkm/linuxkm_wc_port.h: on old FIPS, retrofit nonnull attribute to GHASH() arg 1, so that it unconditionally writes out the hash.
wolfcrypt/src/aes.c and wolfssl/wolfcrypt/aes.h: in GHASH(), add nonnull attribute to arg 1, and remove runtime nullness check for arg 1 in the implementations.
linuxkm/lkcapi_sha_glue.c: refactor error code handling in wc_linuxkm_drbg_generate() (followup to 3c9996e in #10688).
wolfcrypt/src/aes.c: fix performance regressions on GMAC and AES-CFB decrypt:
* add WC_VAES_MIN_BLOCKS, WC_VAES_ECB_MIN_BLOCKS, and WC_VAES_GCM_MIN_BLOCKS, and check against them before using AVX512/VAES implementations.
* in AesCfbDecrypt_C(), enlarge the tmp[] buffer and parameterize its size with newly added WC_AES_CFB_DEC_BUF_BLOCKS.
src/include.am: remove wolfcrypt/src/aes_x86_64_asm.S from AESNI source lists in FIPS v2/v5/v6 sections.
in all FIPS-relevant C sources, add a "#define _WC_BUILDING_foo" first (where foo is a stylization of the filename), before including libwolfssl_sources.h, to allow future file-specific suppressions or other settings without altering FIPS sources.
wolfcrypt/src/aes.c, wolfcrypt/src/port/, wolfssl/wolfcrypt/aes.h, wolfcrypt/src/pkcs7.c, wolfcrypt/test/test.c:
* implement wc_local_AesGcmCheckTagSz() with pedantic checks for valid authtag size. SP 800-38D restrictions are now uniformly imposed, unless WC_AES_GCM_ALLOW_NONSTANDARD_TAG_LENGTH is defined (not allowed with FIPS).
* refactor tag size checks in wc_AesGcmEncrypt(), wc_AesGcmDecrypt(), wc_AesGcmEncryptFinal(), wc_AesGcmDecryptFinal(), and wc_PKCS7_DecodeAuthEnvelopedData().
* in test.c, update aesgcm_non12iv_test() to skip tag sizes expected to fail.
wolfcrypt/test/test.c:
* in slhdsa_keygen_kat() and slhdsa_id_label_test(), pass devId to wc_SlhDsaKey_Init*()
* in cryptocb_test(), inhibit the callback verification check for SLHDSA if FIPS (no crypto callbacks in FIPS-wrapped calls).
linuxkm/x86_vector_register_glue.c, linuxkm/linuxkm_wc_port.h, wolfssl/wolfcrypt/memory.h: add WC_SVR_FLAG_FUZZ, implement support for DEBUG_VECTOR_REGISTER_ACCESS_FUZZING directly in the save/restore implementations, and properly reflect existing save state there and in the _FUZZING variants of SAVE_VECTOR_REGISTERS2().
wolfcrypt/src/sha3.c: refactor WC_C_DYNAMIC_FALLBACK using SAVE_VECTOR_REGISTERS2().
clean up setup code for kernel modules:
configure.ac:
* remove -DWC_SHA3_NO_ASM from ENABLED_LINUXKM AM_CFLAGS.
* refactor initial setup for KERNEL_MODE_DEFAULTS, adding generic --enable-kernel-settings while retaining legacy --enable-linuxkm-defaults.
* rename $DEF_SP_MATH to $DEF_SP_MATH_ALL.
* remove redundant and unneeded setup for KERNEL_MODE_DEFAULTS and ENABLED_LINUXKM (leverage existing setup in settings.h).
* move some still-needed KERNEL_MODE_DEFAULTS and ENABLED_LINUXKM setup from configure.ac to settings.h.
* set up -DWOLFSSL_KERNEL_MODE_DEFAULTS, so that settings.h can pivot on it.
wolfssl/wolfcrypt/settings.h:
* revise WOLFSSL_LINUXKM section of settings.h to require WOLFSSL_MIN_AUTH_TAG_SZ at least 8 for old FIPS and 12 for new FIPS. still force down to 4 bytes if crypto fuzzer is enabled, otherwise force down to 8 to support legacy IPsec ESP.
* in the WOLFSSL_LINUXKM section, don't set WC_MLKEM_NO_ASM, and disable DEBUG_VECTOR_REGISTER_ACCESS_FUZZING in ML-KEM, ML-DSA, and SLH-DSA -- intelasm works right, but fuzzing doesn't (yet).
add hard compile-time assert in settings.h for FIPS v7+ asserting that WOLFSSL_MIN_AUTH_TAG_SZ meets SP 800-38D Rev 1 requirements.
linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c: add linuxkm-pie support for CheckOcspResponder() (WOLFSSL_NO_OCSP_ISSUER_CHECK is no longer implied by KERNEL_MODE_DEFAULTS).
linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c: on kernel >= 7.2, remove indirect symbol support for strncpy and add backward-compat implementation wc_linuxkm_strncpy().
replace several nonconformant uses of __FUNCTION__ with __func__ (linuxkm/linuxkm_memory.c, wolfcrypt/src/random.c, wolfcrypt/test/test.c, wolfssl/wolfcrypt/mem_track.h, wolfssl/wolfcrypt/memory.h, wolfssl/wolfcrypt/settings.h).
wolfcrypt/src/port/riscv/riscv-64-aes.c: in GHASH(), remove runtime nullness check for arg 1 (matching nonnull attribute to arg 1 added to prototype in earlier commit).
wolfcrypt/src/wc_slhdsa.c:
* disable asm accelerations if WC_SHA3_NO_ASM is set.
* fix an uninited-data warning in slhdsakey_wots_pkgen_chain_c().
linuxkm-related loose ends:
wolfssl/ocsp.h: gate out the CheckOcspResponder() prototype if defined(CheckOcspResponder) (for linuxkm-pie).
wolfcrypt/src/wc_mldsa.c: add support for WC_MLDSA_NO_ASM.
tweaks for linuxkm targeting clang-built kernels:
linuxkm/: when logging PTR_ERR(), cast it to int, and use "%d" as the format. Globally, `#define PTR_ERR(x) ((int)PTR_ERR(x))` in linuxkm_wc_port.h to fix clang warnings on kernel headers.
linuxkm/lkcapi_aes_glue.c: add casts in linuxkm_test_aesgcm() to mollify clang.
linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c:
* add __clang__ compat code to allow including clang stdatomic.h while masking out kernel-incompatible __CLANG_STDINT_H.
* add clang-specific suppressions for kernel headers (-Wshorten-64-to-32, -Wframe-address).
linuxkm/lkcapi_sha_glue.c:
* in wc__get_random_bytes(), add bounds-checking for len.
* in wc_extract_crng_user(), fix type conflicts.
wolfssl/wolfcrypt/wc_port.h and wolfssl/wolfcrypt/types.h:
* move the old-FIPS compatibility mapping from INLINE to WC_INLINE from types.h to wc_port.h.
* activate stdatomic.h for clang kernel module builds.
linuxkm/Kbuild:
* add clang-specific flags.
* add gcc gate around gcc-specific flags.
* allow override value for MAX_STACK_FRAME_SIZE.
wolfcrypt/src/asn.c: add casts in GetFormattedTime_ex() to mollify clang build of linuxkm.
tested with